Kaspersky Web Traffic Security (KWTS)
Kaspersky Web Traffic Security gateway logs — enterprise web proxy events covering allowed browsing, antivirus-scanned downloads, URL policy blocks, malware and phishing detections, and warning page redirects with custom kaspersky.kwts.* namespace fields in ECS-compatible JSON format.
Quick Start

```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/proxy-kaspersky-kwts/generator.yml \
  --id proxy-kaspersky-kwts \
  --live-mode true
```

Event Types

| Event ID | Description | Frequency | Category |
|---|---|---|---|
| allowed | Normal browsing traffic allowed through proxy | ~75% | web |
| allowed-scanned | File download scanned clean by antivirus engine | ~10% | web |
| blocked-policy | Blocked by URL filtering policy | ~6% | web |
| blocked-av | Blocked due to malware detection | ~4% | web |
| blocked-ap | Blocked due to phishing detection | ~3% | web |
| redirected | Redirected to warning page for risky content | ~2% | web |

Realism Features

- Kaspersky antivirus engine verdicts with threat names and severity levels
- URL category filtering with policy rule references
- Anti-phishing detection with confidence scores and phishing URL patterns
- HTTP method and MIME type distribution matching real proxy traffic profiles
- Custom kaspersky.kwts.* namespace for product-specific fields
- Russian-locale user and hostname pools for realistic CIS deployment scenarios

Sample Output

```json
{
  "@timestamp": "2026-03-07T14:22:05.000Z",
  "event": {
    "category": ["web"],
    "type": ["access"],
    "outcome": "success",
    "action": "allowed",
    "module": "kaspersky",
    "dataset": "kaspersky.kwts"
  },
  "observer": {
    "vendor": "Kaspersky",
    "product": "Web Traffic Security",
    "version": "6.1.0.4762",
    "name": "KWTS-PROXY01",
    "ip": "10.1.0.50"
  },
  "kaspersky": {
    "kwts": {
      "action": "Allow",
      "scan_result": "Clean",
      "processing_time_ms": 12
    }
  },
  "url": {
    "domain": "mail.yandex.ru",
    "full": "https://mail.yandex.ru/inbox",
    "scheme": "https"
  },
  "http": {
    "request": { "method": "GET" },
    "response": { "status_code": 200, "bytes": 45230 }
  },
  "source": {
    "ip": "10.1.20.34",
    "port": 52110
  },
  "user": { "name": "ivanov_av" },
  "host": {
    "hostname": "WS-BUH-PC03",
    "ip": "10.1.20.34"
  },
  "related": {
    "hosts": ["WS-BUH-PC03", "KWTS-PROXY01"],
    "ip": ["10.1.20.34", "10.1.0.50"],
    "user": ["ivanov_av"]
  }
}
```

Parameters

| Parameter | Default | Description |
|---|---|---|
| kwts_server | KWTS-PROXY01 | KWTS proxy server hostname |
| kwts_server_ip | 10.1.0.50 | KWTS proxy server IP address |
| kwts_version | 6.1.0.4762 | KWTS product version |
| agent_id | a1b2c3d4-... | Filebeat agent UUID |
| agent_version | 8.17.0 | Elastic Agent version |
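The events above are meant to be consumed by a SIEM pipeline, and the Event Types table and Sample Output together tell you enough to write a consumer. The script below is an added example for this page, not code from the content pack, Eventum or Kaspersky: it parses NDJSON output shaped like the Sample Output (constructed lines, two of them deliberately bad), rejects lines that are malformed, belong to another dataset, or lack the ECS fields a rule would key on, compares the observed `event.action` mix against the nominal frequencies in the table, and pulls the malware and phishing blocks into triage rows with a per-user repeat count. It assumes that `event.action` carries the Event ID values from the table for every type (the sample confirms only `allowed`) and that `kaspersky.kwts.scan_result` holds a verdict string on detection events; the `Infected` and `Phishing` values in the sample lines are invented for the example.

```python
"""Consume KWTS events from the Eventum generator and triage detections.

Added example for this page (not content-pack or Kaspersky code). Assumes
event.action == Event ID from the table; scan_result values below are invented.
"""
import json
from collections import Counter

DATASET = "kaspersky.kwts"
DETECTIONS = {"blocked-av", "blocked-ap"}  # malware / phishing verdicts
# Nominal event mix from the Event Types table on this page.
EXPECTED_MIX = {"allowed": 0.75, "allowed-scanned": 0.10, "blocked-policy": 0.06,
                "blocked-av": 0.04, "blocked-ap": 0.03, "redirected": 0.02}
# ECS fields a downstream rule keys on; an event missing any of them is rejected.
REQUIRED = ("@timestamp", "event.action", "event.dataset", "url.domain",
            "user.name", "host.hostname")

# Constructed NDJSON shaped like the Sample Output; line 6 is truncated JSON,
# line 7 belongs to a different dataset. Verdict strings are invented.
SAMPLE_NDJSON = """\
{"@timestamp":"2026-03-07T14:22:05.000Z","event":{"action":"allowed","outcome":"success","dataset":"kaspersky.kwts"},"kaspersky":{"kwts":{"action":"Allow","scan_result":"Clean"}},"url":{"domain":"mail.yandex.ru"},"user":{"name":"ivanov_av"},"host":{"hostname":"WS-BUH-PC03"}}
{"@timestamp":"2026-03-07T14:22:06.000Z","event":{"action":"allowed-scanned","outcome":"success","dataset":"kaspersky.kwts"},"kaspersky":{"kwts":{"action":"Allow","scan_result":"Clean"}},"url":{"domain":"files.example.net"},"user":{"name":"ivanov_av"},"host":{"hostname":"WS-BUH-PC03"}}
{"@timestamp":"2026-03-07T14:22:07.000Z","event":{"action":"blocked-policy","outcome":"failure","dataset":"kaspersky.kwts"},"kaspersky":{"kwts":{"action":"Block","scan_result":"Clean"}},"url":{"domain":"games.example.net"},"user":{"name":"sidorov_pp"},"host":{"hostname":"WS-IT-PC11"}}
{"@timestamp":"2026-03-07T14:22:08.000Z","event":{"action":"blocked-av","outcome":"failure","dataset":"kaspersky.kwts"},"kaspersky":{"kwts":{"action":"Block","scan_result":"Infected"}},"url":{"domain":"cdn.example.org"},"user":{"name":"petrov_si"},"host":{"hostname":"WS-SALES-PC07"}}
{"@timestamp":"2026-03-07T14:22:09.000Z","event":{"action":"blocked-ap","outcome":"failure","dataset":"kaspersky.kwts"},"kaspersky":{"kwts":{"action":"Block","scan_result":"Phishing"}},"url":{"domain":"login.example-bank.test"},"user":{"name":"petrov_si"},"host":{"hostname":"WS-SALES-PC07"}}
{"@timestamp":"2026-03-07T14:22:10.000Z","event":{"action":"allowed"
{"@timestamp":"2026-03-07T14:22:11.000Z","event":{"action":"allowed","dataset":"nginx.access"},"url":{"domain":"intranet.example.net"},"user":{"name":"ivanov_av"},"host":{"hostname":"WS-BUH-PC03"}}
"""


def get_path(event, dotted, default=None):
    """Walk a dotted ECS path such as "event.action" through nested dicts."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def parse_ndjson(text):
    """Return (accepted events, rejected line count)."""
    accepted, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            rejected += 1
            continue
        if (get_path(event, "event.dataset") != DATASET
                or any(get_path(event, f) is None for f in REQUIRED)):
            rejected += 1
            continue
        accepted.append(event)
    return accepted, rejected


def action_mix(events):
    """Observed share of each event.action, as {action: (count, fraction)}."""
    counts = Counter(get_path(e, "event.action") for e in events)
    total = sum(counts.values())
    return {a: (n, n / total) for a, n in counts.items()} if total else {}


def deviation_from_expected(mix):
    """Observed minus nominal fraction per action; a large negative value for a
    blocked type usually means the pipeline is dropping it, not that it is rare."""
    return {a: round(mix.get(a, (0, 0.0))[1] - p, 4) for a, p in EXPECTED_MIX.items()}


def detection_hits(events):
    """Flatten malware and phishing blocks into triage rows."""
    return [{"time": e["@timestamp"],
             "user": get_path(e, "user.name"),
             "host": get_path(e, "host.hostname"),
             "domain": get_path(e, "url.domain"),
             "verdict": get_path(e, "kaspersky.kwts.scan_result")}
            for e in events if get_path(e, "event.action") in DETECTIONS]


def repeat_offenders(events, threshold=2):
    """Users with at least `threshold` malware/phishing blocks in the batch."""
    per_user = Counter(r["user"] for r in detection_hits(events))
    return {u: n for u, n in per_user.items() if n >= threshold}


if __name__ == "__main__":
    evs, bad = parse_ndjson(SAMPLE_NDJSON)
    print(f"accepted={len(evs)} rejected={bad}")
    for action, (n, frac) in sorted(action_mix(evs).items()):
        print(f"{action:16s} {n:3d} {frac:6.1%}")
    for row in detection_hits(evs):
        print(row)
    print("repeat offenders:", repeat_offenders(evs))
```

Point it at a real batch by replacing `SAMPLE_NDJSON` with the file the generator writes; the rejection counter is the first thing to watch when wiring the pack into Filebeat, since a silently dropped `blocked-av` stream looks identical to a quiet network.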

Related Generators

Nginx Access & Error Logs
Nginx reverse proxy and web server — access logs with upstream timing, error logs with module context, bot/crawler traffic, scanner probes, and correlated 4xx/5xx error entries.
Apache HTTP Server
Apache httpd access and error logs — page/asset/API requests, bot crawlers (Googlebot, GPTBot), scanner probes, 3xx redirects, and correlated 4xx/5xx error log entries with module context.
Cisco AnyConnect VPN
Cisco ASA AnyConnect SSL VPN — session lifecycle from RADIUS authentication through tunnel establishment, IP assignment, DAP policy evaluation, session roaming between gateways, to graceful disconnection.